Phishing

A recent study found that 70% of teens text and drive, largely due to FOMO (fear of missing out). These kids are ripe for phishing. But so are many of us. The distractions of life are a phishing campaign's stock in trade. And while falling victim to cybercrime will never be entirely avoidable, knowledge is your best protection.

It goes without saying that texting and driving is illegal, and intergalactically stupid. It also makes getting phished more likely (that is, assuming you survive without maiming or killing yourself or others, and after you get pulled over and ticketed). The reason: every link you click deserves the same attention it takes to drive a car safely.

Of course, texting and driving isn't the only distraction in life. You know that time of day when work gets particularly hectic? Well, so do practiced phishers, and that's often when the skillful ones strike. You're focused on the tasks at hand, not on whether that link in your co-worker's email looks suspect.

Bottom line: Busy equals distracted, distracted equals vulnerable, and that's when we fail to see a phishy link for the security threat it is.

What Is Phishing?

In its simplest form, phishing is the practice of sending a message (by email, text or social media) or planting a link on a website that impersonates someone you trust, in order to trick you into clicking a link, opening an attachment or typing in your credentials. Depending on the campaign, the click either lands you on a fake login or payment page that captures what you enter, or downloads malware onto your device. A single infected machine can then be used as a foothold to attack other devices on the same network, but that is a second step the attacker has to take, not something a click does on its own.

From there, any number of things can happen. Some malware quietly sends your most sensitive logon information to the attacker. Other malware recruits your machine into a botnet, a network of hijacked computers that is rented out to send spam or to flood important servers with enough traffic to knock them offline. If the compromised account is yours at work, your privileged access can be used to transfer funds, hijack databases loaded with sensitive customer and employee information, or steal intellectual property.

There is a never-ending parade of new phishing attacks. Here are six phishing schemes that have been floating around lately.

  1. The Game of Thrones Attack
    According to SC Magazine, viewers of “Game of Thrones” who illegally download episodes of the HBO phenomenon have been receiving spoofed emails that appear to come from a cable provider, but in fact have been sent by a scammer. The email informs the recipient that an illegal download was detected, and directs him or her to a website where they can pay a penalty to avoid legal repercussions, generally a fee in the hundreds of dollars.

    How to avoid it: The easiest way is to obey the law. If you do receive such an email, the best practice is to go online, look up the company's real contact details yourself, and reach out directly to it. Legitimate providers and copyright holders do not settle infringement claims through a payment link in an unsolicited email.

  2. Facebook Fake Friend Attack
    Reportedly, this scam claims a new victim every 20 seconds, so listen up. It all starts with an email announcing that one of your Facebook friends has tagged you in a post. It’s a two-stage attack.

    During phase one, clicking the link downloads a Trojan that installs a malicious extension into the Chrome browser. During phase two, when the user logs into his or her Facebook account from the compromised browser, the extension hands the scammers access to the account, which they use to push the same lure out to the victim's friends.

    According to Kaspersky Lab, "a successful attack gave the threat actor the ability to change privacy settings, extract data and more, allowing it to spread the infection through the victim's Facebook friends or undertake other malicious activity such as spam, identity theft and generating fraudulent 'likes' and 'shares'."

    How to avoid it: This scam was mainly reported in Brazil, Poland, Peru, Colombia, Mexico, Ecuador, Greece, Portugal, Tunisia, Venezuela, Germany and Israel, but beware wherever you are, and treat all email as suspect. Facebook notifications can be checked by opening Facebook directly rather than through the email. Never install a browser extension because a message told you to, and if you suspect you already have, review your browser's extensions list, remove anything you do not recognize, and change your Facebook password from a clean device.

  3. Another Netflix Attack

    While this one never gets old, it should. Victims receive an email alerting them to a problem authenticating payment information on a Netflix account. They are directed to what they believe is the official Netflix site to resolve the issue. However, they have actually been redirected to a clone site where they enter their payment information directly into a scammer’s database.

    How to avoid it: Always navigate to sites on your own, never follow the link provided, and make sure you have the correct URL address. Often, spoofed sites look quite similar to official websites, so you need to look very closely to see the difference: the brand name buried in a longer hostname (netflix.com.something-else.com), a single swapped letter, or a look-alike character from another alphabet. A padlock icon or "https" in the address bar only means the connection is encrypted; scammers get those certificates too, so it says nothing about who owns the site.

  4. A Payroll Attack

    While this scam was local and affected very few people, it’s still quite instructive. Three employees of the University of Kansas had their paychecks stolen after they fell for a phishing scam. The email asked employees to update their payroll information, which then allowed the scammers to re-route their paychecks to another account.

    How to avoid it: Never click on anything money-related in an email. Always log on to your benefits site on your own, get on the phone, or send an email to an address you have looked up online and know to be correct. If you are in human resources, require an in-person visit with proper identification, or a callback to the phone number already on file, before allowing changes to direct deposit payroll.

  5. LinkedIn Attack

    If you receive an email from LinkedIn that is not directly addressed to you with only the vaguest subject line, handle it with your best Internet security tongs, because there is a new phishing campaign out there. This latest attack informs the recipient that if they don’t immediately update their account, it will be terminated. The goal is to get as much of your personally identifiable information as possible.

    How to avoid it: Do you really need me to tell you? Don’t. Click. That. Link.

  6. The Lawyer Ransomware Attack

    Here's a local item from Tennessee that could happen anywhere. An email was sent to attorneys that appeared to come from an entity that regulates members of the legal profession. When they clicked through as instructed, in order to view all complaints against them and the fines they faced, ransomware was downloaded onto their computers. The message: Pay if you want access to your data.

    How to avoid it: Say it with me now: contact the organization directly. Don't click links. And because ransomware makes your files unreachable rather than stealing them, keep backups that are not permanently connected to your computer, so that "pay or lose your data" is not the only option.
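The Netflix item above says to look "very closely" at the address. Here is what that means in practice, as an added example (not code from the original article): a small URL checker that takes a short list of sites the reader actually uses, which is an assumption for the example, and flags the common look-alike tricks that phishing pages rely on. The sample URLs at the bottom are constructed for illustration; the hostnames in them are not real phishing sites.

```python
"""Flag URLs whose host merely resembles a site the user trusts.

Added example for the article; TRUSTED_HOSTS and the sample URLs are
assumptions made up for illustration, not real sites or real attacks.
"""
import unicodedata
from urllib.parse import urlsplit

# Sites the reader genuinely uses (an assumption for this example).
TRUSTED_HOSTS = ("netflix.com", "facebook.com", "linkedin.com")

# A few Unicode letters that render like Latin ones. Real IDN checks use
# Unicode's full confusables table; this small map is enough to show the idea.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic с х і ѕ
    "\u0131": "i",                                               # dotless i
}


def skeleton(host: str) -> str:
    """Replace confusable letters with their Latin look-alikes and strip accents,
    so 'nеtflix.com' (Cyrillic е) and 'nétflix.com' both become 'netflix.com'."""
    out = []
    for ch in host.lower():
        ch = HOMOGLYPHS.get(ch, ch)
        for base in unicodedata.normalize("NFKD", ch):  # é -> e + combining mark
            if not unicodedata.combining(base):
                out.append(base)
    return "".join(out)


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('billing.netflix.com' -> 'netflix.com').
    Good enough for .com-style TLDs; production code should use the Public
    Suffix List so that 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as 'netfilx.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Return {'host', 'verdict', 'reasons'}; verdict is 'trusted', 'lookalike'
    or 'unknown'. Only the host is judged: the path, the page's looks and the
    HTTPS padlock say nothing about who owns the site."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    try:  # show punycode ('xn--...') hosts as the browser would render them
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, nothing to decode
    reg = registrable_domain(host)
    reasons = []

    if reg in TRUSTED_HOSTS and host.isascii():
        return {"host": host, "verdict": "trusted", "reasons": reasons}

    if not host.isascii():
        reasons.append(f"non-ASCII characters in host (looks like {skeleton(host)})")
    # 'http://netflix.com@evil.example/' puts the brand in the user-info part;
    # the browser actually connects to evil.example.
    if parts.username and registrable_domain(parts.username) in TRUSTED_HOSTS:
        reasons.append(f"trusted name '{parts.username}' is user info, real host is {host}")

    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[0]
        dist = edit_distance(reg, trusted)
        if registrable_domain(skeleton(host)) == trusted and reg != trusted:
            reasons.append(f"homoglyph of {trusted}")
        elif f".{trusted}." in f".{host}." and reg != trusted:
            reasons.append(f"'{trusted}' appears as a subdomain of {reg}")
        elif brand in reg.split(".")[0] and reg != trusted:
            reasons.append(f"brand '{brand}' embedded in unrelated domain {reg}")
        elif 0 < dist <= 2:
            reasons.append(f"typosquat of {trusted} (edit distance {dist})")

    return {"host": host, "verdict": "lookalike" if reasons else "unknown",
            "reasons": reasons}


# Constructed sample links, modelled on the lures described in the article.
SAMPLE_URLS = (
    "https://www.netflix.com/browse",
    "https://netflix.com.billing-update.example/login",
    "http://netflix.com@evil.example/",
    "https://netflix-billing.com/update",
    "https://netfilx.com/",
    "http://n\u0435tflix.com/",  # Cyrillic е
    "https://example.com/",
)

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = check_url(sample)
        print(f"{result['verdict']:9} {result['host']}  {'; '.join(result['reasons'])}")
```

The checker deliberately ignores everything after the hostname: a convincing page, a familiar logo and a valid certificate are all cheap for an attacker, while the registered domain is the one thing they cannot copy. The same logic is what a mail gateway or browser extension applies at scale; done by hand, it comes down to reading the address from the right-hand end.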

What Else You Can Do

Many attacks exploit vulnerabilities in older versions of software you may already be using, so make sure that all your programs are kept updated. A recent campaign involved booby-trapped Microsoft Word attachments that relied on user laxness, specifically on the target still running an old version of Microsoft Office with a vulnerability that had been patched back in 2012. If the patch had not been applied, opening the document was all it took to let the attackers in.

When it comes to phishing, you can make your own weather. If you are cautious, alert and play it smart, you can stay safer in a decidedly unsafe digital world and better ride out the cyber storm.